Step 0: Preparing for the walkthrough Step 1: Do the Account A tasks Step 2: Do the Account B tasks Step 3: (Optional) Try explicit deny Step 4: Clean up

Example 2: Bucket owner granting cross-account bucket permissions

Important

Granting permissions to IAM roles is a better practice than granting permissions to individual users. To learn how to do this, see Background: Cross-account permissions and using IAM roles.

An AWS account—for example, Account A—can grant another AWS account, Account B, permission to access its resources such as buckets and objects. Account B can then delegate those permissions to users in its account. In this example scenario, a bucket owner grants cross-account permission to another account to perform specific bucket operations.

Note

Account A can also directly grant a user in Account B permissions using a bucket policy. But the user will still need permission from the parent account, Account B, to which the user belongs, even if Account B does not have permissions from Account A. As long as the user has permission from both the resource owner and the parent account, the user will be able to access the resource.

The following is a summary of the walkthrough steps:

Account A administrator user attaches a bucket policy granting cross-account permissions to Account B to perform specific bucket operations.

Note that administrator user in Account B will automatically inherit the permissions.
Account B administrator user attaches user policy to the user delegating the permissions it received from Account A.
User in Account B then verifies permissions by accessing an object in the bucket owned by Account A.

For this example, you need two accounts. The following table shows how we refer to these accounts and the administrator users in them. Per the IAM guidelines (see About using an administrator user to create resources and grant permissions), we don't use the root user credentials in this walkthrough. Instead, you create an administrator user in each account and use those credentials when creating resources and granting them permissions.

AWS account ID	Account referred to as	Administrator user in the account
`1111-1111-1111`	Account A	AccountAadmin
`2222-2222-2222`	Account B	AccountBadmin

All the tasks of creating users and granting permissions are done in the AWS Management Console. To verify permissions, the walkthrough uses the command line tools, AWS Command Line Interface (CLI) and AWS Tools for Windows PowerShell, so you don't need to write any code.

Step 0: Preparing for the walkthrough

Make sure you have two AWS accounts and that each account has one administrator user as shown in the table in the preceding section.
1. Sign up for an AWS account, if needed.
2. Using Account A credentials, sign in to the IAM console to create the administrator user:
  1. Create user AccountAadmin and note down the security credentials. For instructions, see Creating an IAM user in Your AWS account in the IAM User Guide.
  2. Grant AccountAadmin administrator privileges by attaching a user policy giving full access. For instructions, see Working with Policies in the IAM User Guide.
3. While you are in the IAM console, note down the IAM user Sign-In URL on the Dashboard. All users in the account must use this URL when signing in to the AWS Management Console.
  
  For more information, see How Users Sign in to Your Account in IAM User Guide.
4. Repeat the preceding step using Account B credentials and create administrator user AccountBadmin.
Set up either the AWS Command Line Interface (CLI) or the AWS Tools for Windows PowerShell. Make sure you save administrator user credentials as follows:
- If using the AWS CLI, create two profiles, AccountAadmin and AccountBadmin, in the config file.
- If using the AWS Tools for Windows PowerShell, make sure you store credentials for the session as AccountAadmin and AccountBadmin.
For instructions, see Setting up the tools for the example walkthroughs.

Save the administrator user credentials, also referred to as profiles. You can use the profile name instead of specifying credentials for each command you enter. For more information, see Setting up the tools for the example walkthroughs.

Add profiles in the AWS CLI credentials file for each of the administrator users in the two accounts.


[AccountAadmin]
aws_access_key_id = access-key-ID
aws_secret_access_key = secret-access-key
region = us-east-1

[AccountBadmin]
aws_access_key_id = access-key-ID
aws_secret_access_key = secret-access-key
region = us-east-1

If you are using the AWS Tools for Windows PowerShell


set-awscredentials –AccessKey AcctA-access-key-ID –SecretKey AcctA-secret-access-key –storeas AccountAadmin
set-awscredentials –AccessKey AcctB-access-key-ID –SecretKey AcctB-secret-access-key –storeas AccountBadmin

Step 1: Do the Account A tasks

Using the IAM user sign-in URL for Account A first sign in to the AWS Management Console as AccountAadmin user. This user will create a bucket and attach a policy to it.

Step 1.2: Create a bucket

In the Amazon S3 console, create a bucket. This exercise assumes the bucket is created in the US East (N. Virginia) Region and is named DOC-EXAMPLE-BUCKET.

For instructions, see Creating a bucket.
Upload a sample object to the bucket.

For instructions, go to Step 2: Upload an object to your bucket.

Step 1.3: Attach a bucket policy to grant cross-account permissions to Account B

The bucket policy grants the s3:GetLifecycleConfiguration and s3:ListBucket permissions to Account B. It is assumed you are still signed into the console using AccountAadmin user credentials.

Attach the following bucket policy to DOC-EXAMPLE-BUCKET. The policy grants Account B permission for the s3:GetLifecycleConfiguration and s3:ListBucket actions.

For instructions, see Adding a bucket policy by using the Amazon S3 console.


{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetLifecycleConfiguration",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
         ]
      }
   ]
}

Verify Account B (and thus its administrator user) can perform the operations.

Using the AWS CLI


aws s3 ls s3://DOC-EXAMPLE-BUCKET --profile AccountBadmin
aws s3api get-bucket-lifecycle-configuration --bucket DOC-EXAMPLE-BUCKET --profile AccountBadmin

Using the AWS Tools for Windows PowerShell


get-s3object -BucketName DOC-EXAMPLE-BUCKET -StoredCredentials AccountBadmin 
get-s3bucketlifecycleconfiguration -BucketName DOC-EXAMPLE-BUCKET -StoredCredentials AccountBadmin

Step 2: Do the Account B tasks

Now the Account B administrator creates a user, Dave, and delegates the permissions received from Account A.

Using the IAM user sign-in URL for Account B, first sign in to the AWS Management Console as AccountBadmin user.

Step 2.2: Create user Dave in Account B

In the IAM console, create a user, Dave.

For instructions, see Creating IAM Users (AWS Management Console) in the IAM User Guide.

Step 2.3: Delegate permissions to user Dave

Create an inline policy for the user Dave by using the following policy. You will need to update the policy by providing your bucket name.

It is assumed you are signed in to the console using AccountBadmin user credentials.


{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example",
         "Effect": "Allow",
         "Action": [
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
         ]
      }
   ]
}

For instructions, see Working with Inline Policies in the IAM User Guide.

Step 2.4: Test permissions

Now Dave in Account B can list the contents of DOC-EXAMPLE-BUCKET owned by Account A. You can verify the permissions using either of the following procedures.

Test using the AWS CLI

Add the UserDave profile to the AWS CLI config file. For more information about the config file, see Setting up the tools for the example walkthroughs.
```
[profile UserDave]
aws_access_key_id = access-key
aws_secret_access_key = secret-access-key
region = us-east-1
```
At the command prompt, enter the following AWS CLI command to verify Dave can now get an object list from the DOC-EXAMPLE-BUCKET owned by Account A. Note the command specifies the UserDave profile.
```
aws s3 ls s3://DOC-EXAMPLE-BUCKET --profile UserDave
```
Dave does not have any other permissions. So if he tries any other operation—for example, the following get bucket lifecycle configuration—Amazon S3 returns permission denied.
```
aws s3api get-bucket-lifecycle-configuration --bucket DOC-EXAMPLE-BUCKET --profile UserDave
```

Test using AWS Tools for Windows PowerShell

Store Dave's credentials as AccountBDave.


set-awscredentials -AccessKey AccessKeyID -SecretKey SecretAccessKey -storeas AccountBDave

Try the List Bucket command.
```
get-s3object -BucketName DOC-EXAMPLE-BUCKET -StoredCredentials AccountBDave
```
Dave does not have any other permissions. So if he tries any other operation—for example, the following get bucket lifecycle configuration—Amazon S3 returns permission denied.
```
get-s3bucketlifecycleconfiguration -BucketName DOC-EXAMPLE-BUCKET -StoredCredentials AccountBDave
```

Step 3: (Optional) Try explicit deny

You can have permissions granted via an ACL, a bucket policy, and a user policy. But if there is an explicit deny set via either a bucket policy or a user policy, the explicit deny takes precedence over any other permissions. For testing, let's update the bucket policy and explicitly deny Account B the s3:ListBucket permission. The policy also grants s3:ListBucket permission, but explicit deny takes precedence, and Account B or users in Account B will not be able to list objects in DOC-EXAMPLE-BUCKET.

Using credentials of user AccountAadmin in Account A, replace the bucket policy by the following.


{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetLifecycleConfiguration",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
         ]
      },
      {
         "Sid": "Deny permission",
         "Effect": "Deny",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
         ]
      }
   ]
}

Now if you try to get a bucket list using AccountBadmin credentials, you will get access denied.
- Using the AWS CLI:
```
aws s3 ls s3://DOC-EXAMPLE-BUCKET --profile AccountBadmin
```
- Using the AWS Tools for Windows PowerShell:
```
get-s3object -BucketName DOC-EXAMPLE-BUCKET -StoredCredentials AccountBDave
```

Step 4: Clean up

After you are done testing, you can do the following to clean up.
1. Sign in to the AWS Management Console (AWS Management Console) using Account A credentials, and do the following:
  - In the Amazon S3 console, remove the bucket policy attached to DOC-EXAMPLE-BUCKET. In the bucket Properties, delete the policy in the Permissions section.
  - If the bucket is created for this exercise, in the Amazon S3 console, delete the objects and then delete the bucket.
  - In the IAM console, remove the AccountAadmin user.
Sign in to the AWS Management Console (AWS Management Console) using Account B credentials. In the IAM console, delete user AccountBadmin.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Granting permissions

Granting object permissions